CN1643839B - End-to-end protection of media stream encryption keys for voice-over-ip systems - Google Patents


Info

Publication number: CN1643839B
Authority: CN (China)
Prior art keywords: key, server, media stream, servers, ticket
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Expired - Lifetime
Application number: CN038066874A
Other languages: Chinese (zh)
Other versions: CN1643839A (en)
Inventor: 亚历山大·梅德温斯基 (Alexander Medvinsky)
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Google Technology Holdings LLC
Original Assignee: General Instrument Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2002-03-22
Filing date: 2003-03-20
Publication date: 2012-09-05
Events: application filed by General Instrument Corp; publication of CN1643839A; application granted; publication of CN1643839B; anticipated expiration; current legal status Expired - Lifetime

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways

Abstract

The present invention reduces the exposure of keying material to intermediary devices in a communication channel between first and second servers. In one embodiment, a second server receives a first half of media stream keys from a first server. The second server uses a Kerberos-based Application Request and tickets to communicate the second half of the media stream keys to the first server. Using this approach, the exposure of the media stream keys is reduced to only the servers.

Description

End-to-end protection of media stream encryption keys for voice-over-IP systems
Cross-reference to related application
This application claims priority from co-pending U.S. Provisional Patent Application No. 60/367,082, filed March 22, 2002, entitled "End-to-end protection of media stream encryption keys for voice-over-IP systems", which is hereby incorporated by reference for all purposes as if set forth in full herein.
Technical field
The present invention relates generally to secure data transmission, and in particular to the transmission of secure data in an end-to-end communication system that exchanges keys by call signaling through intermediate transmission devices.
Background technology
Secure communication of digital information is important in many of today's systems. For example, in a typical voice-over-IP ("VoIP") system, a call management server (CMS) is operated by the VoIP service provider. The CMS is connected to a digital telephone user and to another CMS at a remote location, which in turn is connected to another digital telephone user (or multimedia terminal adapter (MTA)). Such a system allows users to converse with one another over a large network such as the Internet.
Naturally, users want their conversations (and other data exchanges) to be secure. Maintaining a high level of security over a large, amorphous network such as the Internet is difficult, however, because information may pass through many servers, switches, routers, hubs and other intermediate devices before reaching its intended destination. One way of maintaining security is to have the two CMSs exchange a "media stream encryption key" to be used for the conversation. Several methods of exchanging such keys exist in the prior art; for example, the PacketCable call signaling protocol can be used. These methods, however, require a transfer of keying material from the first CMS to the second CMS, followed by a keying material exchange from the second CMS back to the first. When keys (or other data) are exchanged in this way, the key must pass through the intermediate devices twice. Since every intermediate device is a potential security risk to the data, it is desirable to minimize the exposure of keys to such devices.
In systems using the PacketCable approach, the call signaling protocol between two telephones, VoIP terminals or MTAs is called Network-based Call Signaling (NCS). Each call signaling interface between an MTA and a CMS is protected at the network layer. Where each MTA participating in a VoIP connection is controlled by a separate CMS, the CMS-to-CMS signaling protocol is based on the Session Initiation Protocol (SIP). SIP and other standards are used to define the exchange and management of keys, for example session keys and media stream encryption keys. Authentication information and other related data may also be transmitted to initialize the session. These materials are collectively referred to as keying material.
Summary of the invention
The present invention reduces the exposure of keying material to the intermediate devices on the communication channel between first and second servers. In one embodiment, the second server receives a first half of a media stream encryption key from the first server. The second server uses a Kerberos-based Application Request and ticket to transmit the second half of the media stream key to the first server. In this way, the exposure of the media stream key is reduced to the first and second servers only.
In one embodiment, the invention provides a method for exchanging keys between first and second servers, where the communication path between the servers includes one or more intermediate transmission devices. The method comprises receiving, at the second server, a portion of a media stream key to be used for subsequent data transmission, where that portion is unprotected during its transmission from the first server to the second server; using a security mechanism to protect an additional portion of the media stream key to be used for subsequent transmission; and transmitting the protected additional portion of the media stream key to the first server through the one or more intermediate transmission devices.
Description of drawings
Fig. 1 illustrates the signaling paths between service providers;
Fig. 2 illustrates an overview of security association establishment; and
Fig. 3 illustrates the encrypted and authenticated media stream key management information in a Kerberos structure.
Embodiment
In Fig. 1, system 100 includes first and second multimedia terminal adapters (MTA), MTA1 and MTA2 respectively. The call management servers (CMS) are provided by different service providers. CMS1 receives data from MTA1, processes it and sends signaling in order to establish secure communication with the intended target. In this example, MTA2 is the intended target.
Typically, a VoIP call may take place between two independent VoIP service providers, each with its own CMS. Call signaling messages are routed between the CMSs through intermediate signaling proxies (called SIP proxies), and may even be routed through intermediate service providers.
A call initiated by MTA1 is controlled by CMS1. CMS1 uses routing information to forward the SIP message to SIP proxy A1. SIP proxy A1 routes the message to border proxy A1. Border proxy A1 routes the message to intermediate service provider B. The signaling message is then routed through several SIP proxies in service provider B and through a SIP proxy in service provider C. The message finally reaches CMS2 and its destination at MTA2.
Note that any number of intermediate proxies can be used. In general, an intermediate proxy can be any device or process that receives and forwards signaling messages or other information. The use of intermediate signaling proxies is described, for example, in "SIP: Session Initiation Protocol", IETF RFC 2543, March 1999, which is hereby incorporated by reference for all purposes as if set forth in full herein.
In a preferred embodiment, the PacketCable signaling system is used. The PacketCable system assumes that each CMS and SIP proxy performs a lookup of the destination telephone number and thereby obtains the address of the next host to which the SIP signaling message should be forwarded. This next host can be the destination CMS or some intermediate SIP proxy. A SIP proxy that connects with another SIP proxy in a different signaling domain is called a border proxy. A single VoIP service provider may typically include one or more signaling domains.
Typically, when the call-initiating MTA initializes a signaling message, this initial message includes half of the keying material for the session. The call-answering MTA, MTA2 in the example of Fig. 1, responds with the second half of the keying material. When either MTA includes keying material in a message, that keying material is exposed not only at the two CMSs but at each intermediate proxy. Although each SIP proxy may be owned or operated by a trusted service provider, this signaling system exposes the media stream encryption key at a potentially large number of nodes. Compromise of any one of these nodes compromises the privacy of the media stream.
When MTA1 generates its portion (for example, half) of the keying material and sends it to CMS1, CMS1 has no choice but to send the keying material through the intermediate SIP proxies, because CMS1 does not know the identity of CMS2. However, after the first call signaling message has been received by CMS2, only half of the media stream key has been exposed at the intermediate SIP proxies.
At this point, none of the SIP proxies has the complete media stream key, and CMS2 knows the identity of CMS1. CMS2 can now encrypt the remaining half of the key before returning it to CMS1. Although the return signaling message still passes back through SIP, the associated media stream key management material can be encrypted so that only CMS1 can decrypt it (and then forward it to MTA1). This must be done with application-layer security, because in the PacketCable system the first signaling message returned from CMS2 to CMS1 is routed through the intermediate SIP proxies.
One way to protect the half of the media stream key at CMS2 is to query for the digital certificate of CMS1 and then use it to encrypt the keying material. A cryptographic accelerator can be used at one or more CMSs to improve the speed of this approach.
Alternatively, CMS1 and CMS2 can negotiate a symmetric key in advance, which CMS2 can then use to encrypt its half of the media stream key. This requires that, in addition to the IPsec keys it must already maintain, the CMS also maintain a separate encryption key table for application-layer security. A disadvantage of this approach is that it requires more processing "overhead" for acquiring and maintaining keys.
A preferred embodiment of the invention uses a popular authentication service called Kerberos. The PacketCable system already uses Kerberos key management for IPsec and key creation, so each MTA and CMS in a standard system can be expected to support Kerberos. Note that although the preferred embodiment uses the Kerberos mechanism, other authentication services or secure data transmission techniques may also be used with the invention. Details of the Kerberos key management protocol can be found, for example, in "The Kerberos Network Authentication Service (V5)", IETF RFC 1510, September 1993.
Fig. 2 summarizes how IPsec SAs (security associations) are established between a pair of CMSs or SIP proxies using Kerberos, where an IPsec SA comprises a set of symmetric keys used to encrypt and authenticate IP packets. Fig. 2 shows a CMS authenticating itself to the KDC (Key Distribution Center), a trusted authority that shares a symmetric key with each of its clients. It does so by sending an Authentication Service (AS) request or Ticket Granting Service (TGS) request message. Likewise, the KDC authenticates itself in the return message to CMS1 (the AS reply or TGS reply) and includes a Kerberos ticket in that reply.
A Kerberos ticket is similar to a digital certificate in that the ticket holder can use it to authenticate itself to another party. Alternatively, any type of digital certificate could be used. Unlike a general digital certificate, however, a Kerberos ticket can only be used to authenticate to one specific server, the server named in the ticket. The ticket can also be encrypted with a faster symmetric-key cipher and so incurs less overhead than a digital certificate.
Although the preferred embodiment of the invention uses Kerberos tickets, other embodiments may use different security mechanisms. For example, other (i.e. non-Kerberos) ticket formats can be used. Tickets, certificates, authenticators, digital signatures or other security mechanisms can be used in place of, or in addition to, the security mechanism used in the preferred embodiment.
Once CMS1 has received the ticket, it can authenticate itself to CMS2; likewise, CMS2 authenticates itself to CMS1, and both can then establish a set of shared IPsec keys. Kerberized IPsec is specified, for example, in "PacketCable(TM) Security Specification", PKT-SP-SEC-I02-001229, Cable Television Laboratories, Inc., December 2000.
A preferred embodiment allows CMS2 to obtain a Kerberos ticket for CMS1 and then use that ticket to encrypt and authenticate its half of the media stream key together with the selected encryption algorithm and data (the "key suite"). The resulting Kerberos authenticator, media stream key and selected key suite are returned in the SDP option as before. Note that in this case it is CMS2 that obtains a ticket for CMS1, the opposite of the situation shown in Fig. 2.
Fig. 3 shows the encrypted and authenticated media stream key management information in a KRB-PRIV Kerberos structure. This KRB-PRIV structure is preceded by a Kerberos Application (AP) request object, which contains a Kerberos ticket. For ease of description, only the relevant Kerberos objects are discussed here; details of the Kerberos service can be found in the references cited and in other suitable references. The ticket is encrypted with a symmetric service key that is shared only by CMS1 and the KDC and is unavailable to CMS2 or to any other node in the network. This particular ticket can therefore be decrypted and verified by CMS1 (the intended target of the SDP content) but cannot be altered by CMS2, which lacks the service key needed to decrypt it. This means that if the ticket holder, CMS2, tampers with the information contained in the ticket, the tampering will be detected. As noted above, alternative embodiments may use digital certificates or other forms of security protection mechanism.
The ticket contains a symmetric session key. Although CMS2 cannot decrypt the ticket and read its contents, it has its own copy of the session key, transmitted to it securely by the KDC (for example, in an AS reply or TGS reply message). CMS2 therefore already holds the session key, and CMS1 can decrypt the ticket and extract the session key from it. Once CMS1 has received the ticket, it shares this session key with CMS2.
A preferred embodiment of the invention uses the session key to encrypt and authenticate the media stream key management information, including the half media stream key and the selected key suite. The ticket is sent along with the protected information, so CMS1 can extract the session key needed to decrypt and verify the key management data. Sending the ticket alone, however, is not sufficient for full Kerberos authentication. For CMS2 to authenticate itself to CMS1, it must send an AP request (which contains the ticket).
The only additional message introduced by this solution is the exchange between CMS2 and the KDC to obtain the ticket for CMS1. Kerberos tickets, however, are normally cached and reused until some expiration time; in PacketCable a ticket can persist for up to several weeks. This overhead therefore affects only a small fraction of calls. Moreover, since CMS2 and CMS1 also exchange some signaling messages directly, they will eventually request an IPsec security association, and the same Kerberos ticket can be reused for that purpose.
In a preferred embodiment, a ticket is an authentication token issued to a client by the KDC. Among other information, the ticket contains a client name, a specific server name and a session key (a symmetric encryption key). The client name and session key must be kept secret and are encrypted with another key, called the service key. The service key is known only to the KDC and to the server named in the ticket. Because the client does not possess the service key, it cannot decrypt the ticket or alter its contents. Normally the client also needs to know the session key; since it cannot obtain it from the ticket, the KDC sends a separate copy of the same session key to the client.
To authenticate a message with a ticket, the client includes in the message both the ticket and an authenticator, which contains an encrypted checksum computed with the session key present in the ticket. Note that the session key in the ticket is encrypted with the server's service key. When the server named in the ticket receives the message from the client, it can decrypt the ticket with its service key, verify the client name and obtain the session key. That session key is then used to verify the encrypted checksum and thus authenticate the message.
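The exchange described above (Figs. 2 and 3), as an added example that is not part of the patent: a toy Python model in which CMS2 obtains a ticket for CMS1 from the KDC, wraps MTA2's half of the key and the key suite in a KRB-PRIV-style object under the ticket's session key, and CMS1 recovers them with its own service key while the SIP proxies see only MTA1's half in the clear. The HMAC-based cipher, the JSON encodings, the principal names and the key-suite label are assumptions standing in for real Kerberos encryption types and ASN.1 structures.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for a Kerberos enctype)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; any modification raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Shares a long-term service key with each principal and issues tickets."""

    def __init__(self):
        self.service_keys = {}

    def register(self, name: str) -> bytes:
        self.service_keys[name] = secrets.token_bytes(32)
        return self.service_keys[name]

    def issue_ticket(self, client: str, server: str):
        # The ticket is sealed under the *server's* service key, so the client
        # can neither read nor alter it; the client gets its own copy of the session key.
        session_key = secrets.token_bytes(32)
        body = {"client": client, "server": server, "session_key": session_key.hex()}
        return seal(self.service_keys[server], json.dumps(body).encode()), session_key


def cms2_build_reply(ticket: bytes, session_key: bytes, key_half: bytes, key_suite: str) -> dict:
    """CMS2 side: KRB-PRIV carries the key half and key suite under the session key;
    the authenticator carries an encrypted checksum over that payload (AP request)."""
    priv = seal(session_key, json.dumps({"key_half": key_half.hex(), "key_suite": key_suite}).encode())
    auth = {"client": "CMS2", "cksum": hashlib.sha256(priv).hexdigest()}
    return {"ticket": ticket, "authenticator": seal(session_key, json.dumps(auth).encode()), "priv": priv}


def cms1_process_reply(service_key: bytes, reply: dict):
    """CMS1 side: open the ticket with its service key, recover the session key,
    check the authenticator against the ticket and the payload, then open KRB-PRIV."""
    tkt = json.loads(unseal(service_key, reply["ticket"]))
    if tkt["server"] != "CMS1":
        raise ValueError("ticket is not for this server")
    session_key = bytes.fromhex(tkt["session_key"])
    auth = json.loads(unseal(session_key, reply["authenticator"]))
    if auth["client"] != tkt["client"] or auth["cksum"] != hashlib.sha256(reply["priv"]).hexdigest():
        raise ValueError("authenticator does not match ticket or payload")
    priv = json.loads(unseal(session_key, reply["priv"]))
    return bytes.fromhex(priv["key_half"]), priv["key_suite"]


def run_call(tamper: bool = False) -> dict:
    """Walk the whole exchange; report what CMS1 recovered and what the proxies saw."""
    kdc = KDC()
    cms1_service_key = kdc.register("CMS1")
    kdc.register("CMS2")
    half1 = secrets.token_bytes(16)          # MTA1's half, forwarded by CMS1 unprotected
    proxy_view = [half1]                      # every intermediate SIP proxy sees this
    ticket, session_key = kdc.issue_ticket("CMS2", "CMS1")  # CMS2 fetches a ticket for CMS1
    half2 = secrets.token_bytes(16)          # MTA2's half, protected by CMS2
    reply = cms2_build_reply(ticket, session_key, half2, "AES-128/HMAC-SHA1")  # constructed label
    if tamper:
        # a proxy (or CMS2 itself) flips one byte inside the sealed ticket body
        t = bytearray(reply["ticket"]); t[20] ^= 0x01; reply["ticket"] = bytes(t)
    proxy_view.append(reply["priv"])          # proxies see only ciphertext of half2
    try:
        recovered, suite = cms1_process_reply(cms1_service_key, reply)
    except ValueError as err:
        return {"accepted": False, "error": str(err)}
    return {"accepted": True, "half2": half2, "recovered": recovered, "suite": suite,
            "media_key": half1 + recovered, "proxy_view": b"".join(proxy_view)}
```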
The invention therefore reduces the exposure of keying material. Although the invention has been discussed with reference to Kerberos, other embodiments may use other methods. Kerberos, however, is an integral part of the PacketCable security system, so its use does not require introducing a new protocol or a new key management infrastructure. Kerberos also provides a key management solution that avoids the overhead associated with PKI (public key infrastructure). It thus provides an efficient solution to the problem of media stream keys being exposed to intermediate network elements.
Note that other embodiments of the invention need not be based on the PacketCable system. The scope of the invention is determined only by the appended claims.

Claims (12)

1. A method for exchanging keys between first and second servers, wherein the communication path between the first and second servers includes one or more intermediate transmission devices, the method comprising:
receiving, at the second server, a portion of a media stream key to be used for subsequent data transmission, wherein the portion of the media stream key is unprotected during transmission from the first server to the second server;
using a security mechanism to protect an additional portion of the media stream key to be used for subsequent transmission; and
transmitting the protected additional portion of the media stream key to the first server through the one or more intermediate transmission devices.
2. The method of claim 1, wherein the security mechanism comprises using a Kerberos ticket.
3. The method of claim 1, wherein the security mechanism comprises using a certificate.
4. The method of claim 1, wherein the security mechanism comprises using an authenticator.
5. The method of claim 1, wherein the security mechanism comprises using a digital signature.
6. The method of claim 1, wherein media stream session information is encrypted, authenticated and transmitted to the first server together with the additional portion of the media stream key.
7. The method of claim 1, wherein media stream session information is not encrypted.
8. The method of claim 1, wherein the first and second servers are call management servers in a voice-over-IP system.
9. The method of claim 1, further comprising sending, from the second server, an application request containing a Kerberos ticket to the first server in order to authenticate the second server.
10. The method of claim 9, wherein the Kerberos ticket is encrypted using a symmetric service key.
11. The method of claim 9, wherein the Kerberos ticket contains a symmetric session key.
12. An apparatus for exchanging keys between first and second servers, wherein the communication path between the first and second servers includes one or more intermediate transmission devices, the apparatus comprising:
means for receiving, at the second server, a portion of a media stream key to be used for subsequent data transmission, wherein the portion of the media stream key is unprotected during transmission from the first server to the second server;
means for using a security mechanism to protect an additional portion of the media stream key to be used for subsequent transmission; and
means for transmitting the protected additional portion of the media stream key to the first server through the one or more intermediate transmission devices.

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US36708202P 2002-03-22 2002-03-22
US60/367,082 2002-03-22
US10/140,148 US6792534B2 (en) 2002-03-22 2002-05-06 End-to end protection of media stream encryption keys for voice-over-IP systems
US10/140,148 2002-05-06
PCT/US2003/009078 WO2003084123A1 (en) 2002-03-22 2003-03-20 End-to-end protection of media stream encryption keys for voice-over-ip systems

Publications (2)

Publication Number Publication Date
CN1643839A CN1643839A (en) 2005-07-20
CN1643839B true CN1643839B (en) 2012-09-05

Family

ID=28044285

Family Applications (1)

Application Number Title Priority Date Filing Date
CN038066874A Expired - Lifetime CN1643839B (en) 2002-03-22 2003-03-20 End-to-end protection of media stream encryption keys for voice-over-ip systems

Country Status (11)

Country Link
US (1) US6792534B2 (en)
EP (1) EP1490995B1 (en)
JP (1) JP2005521355A (en)
KR (1) KR101013427B1 (en)
CN (1) CN1643839B (en)
AT (1) ATE412286T1 (en)
AU (1) AU2003218381A1 (en)
CA (1) CA2479227C (en)
DE (1) DE60324266D1 (en)
MX (1) MXPA04009225A (en)
WO (1) WO2003084123A1 (en)


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4803725A (en) * 1985-03-11 1989-02-07 General Instrument Corp. Cryptographic system using interchangeable key blocks and selectable key fragments
US5535276A (en) * 1994-11-09 1996-07-09 Bell Atlantic Network Services, Inc. Yaksha, an improved system and method for securing communications using split private key asymmetric cryptography
CN1312991A (en) * 1998-08-19 2001-09-12 夸尔柯姆股份有限公司 Seque processing for authentication of wireless communications device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NO168860C (en) * 1989-11-13 1992-04-08 Alcatel Stk As COMMUNICATION NETWORK
DE4406602C2 (en) * 1994-03-01 2000-06-29 Deutsche Telekom Ag Security system for identifying and authenticating communication partners
US5745578A (en) * 1996-06-17 1998-04-28 Ericsson Inc. Apparatus and method for secure communication based on channel characteristics
US6225888B1 (en) * 1997-12-08 2001-05-01 Nokia Telecommunications Oy Authentication between communicating parties in a telecommunications network
US6377690B1 (en) * 1998-09-14 2002-04-23 Lucent Technologies Inc. Safe transmission of broadband data messages

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4803725A (en) * 1985-03-11 1989-02-07 General Instrument Corp. Cryptographic system using interchangeable key blocks and selectable key fragments
US5535276A (en) * 1994-11-09 1996-07-09 Bell Atlantic Network Services, Inc. Yaksha, an improved system and method for securing communications using split private key asymmetric cryptography
CN1312991A (en) * 1998-08-19 2001-09-12 夸尔柯姆股份有限公司 Seque processing for authentication of wireless communications device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A. Menezes, P. van Oorschot, S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997, 501-502. *

Also Published As

Publication number Publication date
KR101013427B1 (en) 2011-02-14
DE60324266D1 (en) 2008-12-04
EP1490995B1 (en) 2008-10-22
US20030182553A1 (en) 2003-09-25
MXPA04009225A (en) 2004-11-26
JP2005521355A (en) 2005-07-14
CN1643839A (en) 2005-07-20
WO2003084123A1 (en) 2003-10-09
ATE412286T1 (en) 2008-11-15
CA2479227C (en) 2010-09-21
EP1490995A1 (en) 2004-12-29
CA2479227A1 (en) 2003-10-09
KR20040104538A (en) 2004-12-10
EP1490995A4 (en) 2005-06-22
US6792534B2 (en) 2004-09-14
AU2003218381A1 (en) 2003-10-13

Similar Documents

Publication Publication Date Title
CN1643839B (en) End-to-end protection of media stream encryption keys for voice-over-ip systems
US9231919B2 (en) Method and device for anonymous encrypted mobile data and speech communication
EP1161806B1 (en) Key management for telephone calls to protect signaling and call packets between cta's
JP3816337B2 (en) Security methods for transmission in telecommunications networks
US6912656B1 (en) Method and apparatus for sending encrypted electronic mail through a distribution list exploder
US7568223B2 (en) Internet protocol telephony security architecture
KR101367038B1 (en) Efficient key management system and method
CA2391198C (en) Method and apparatus for secure internet protocol communication in a call processing system
US20050182937A1 (en) Method and system for sending secure messages over an unsecured network
CN102668497B (en) Method and device allowing secure communication in a telecommunications protected against denial of service (Dos) and flooding attack
JPH08504073A (en) Key management method for point-to-point communication
JP2001265729A (en) Multicast system, authentication server terminal, multicast recipient terminal managing method and recording medium
CN107094156B (en) Secure communication method and system based on P2P mode
US8738900B2 (en) Method and devices for secure communications in a telecommunications network
WO2011041962A1 (en) Method and system for end-to-end session key negotiation which support lawful interception
JP2006217446A (en) Remote conference system
US20180083947A1 (en) Stateless Server-Based Encryption Associated With A Distribution List
JP2002041461A (en) Method and system for sharing conference material in electronic conference system
KR102387911B1 (en) Secure instant messaging method and apparatus thereof
CN114765546B (en) End-to-end hard encryption method, system, encryption equipment and key management server
US20230292111A1 (en) Method for managing identity by a transmitting entity in a 3gpp mcs network
KR100567321B1 (en) Method for reusing key using separated encryption key for sending and receiving
KR101022788B1 (en) Apparatus and method of data preservating in public key infrastructure based on group
EP3398288A1 (en) Method to establish a private and confidential connection
JP2001345832A (en) Mail system, mail guard device and operation terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: GENERAL INSTRUMENT HOLDING CO., LTD.

Free format text: FORMER OWNER: GENERAL INSTRUMENT CORPORATION

Effective date: 20130918

Owner name: MOTOROLA MOBILITY LLC

Free format text: FORMER OWNER: GENERAL INSTRUMENT HOLDING CO., LTD.

Effective date: 20130918

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20130918

Address after: Illinois, USA

Patentee after: MOTOROLA MOBILITY LLC

Address before: California, USA

Patentee before: General Instruments Holding Co.,Ltd.

Effective date of registration: 20130918

Address after: California, USA

Patentee after: General Instruments Holding Co.,Ltd.

Address before: Pennsylvania, USA

Patentee before: GENERAL INSTRUMENT Corp.

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20160301

Address after: California, USA

Patentee after: Google Technology Holdings LLC

Address before: Illinois, USA

Patentee before: MOTOROLA MOBILITY LLC

CX01 Expiry of patent term

Granted publication date: 20120905